Missing Conditional Access Policies
Checks if Conditional Access policies are configured
Why this matters
What this means
Your tenant has no Conditional Access policies configured (or all existing policies are disabled). Conditional Access is Microsoft's zero-trust policy engine — it evaluates signals like user location, device state, and risk level to decide whether to allow, block, or require MFA for each sign-in.
Why is it a security risk?
- Without Conditional Access, any valid credential grants access from any location, any device, and any risk level.
- You cannot enforce MFA for risky sign-ins, block legacy authentication, or restrict access to compliant devices.
- Microsoft considers Conditional Access a foundational security control for every Entra ID tenant.
Recommended next steps
- Go to Microsoft Entra admin center → Protection → Conditional Access.
- Start with the common policy templates — these cover the most impactful scenarios.
- At a minimum, create policies to: require MFA for all users, block legacy authentication, and require MFA for admin roles.
- Use report-only mode first to validate impact before enforcing.
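The following is an added, offline example of the evaluation logic this rule performs; it is not EntraAnalyzer's own code. It takes the policy objects that a `GET /identity/conditionalAccess/policies` Graph call returns in its `value` array (the `state`, `conditions` and `grantControls` fields are the real Graph property names; the three sample policies and the role template placeholder are constructed), reports whether any policy is actually enforced (report-only and disabled policies do not count, which is the edge case in the rule text), and flags which of the three minimum policies from the steps above is still missing. Treating "MFA for admin roles" as satisfied only by a dedicated role-scoped policy is this example's assumption.

```python
"""Offline evaluator for the 'Missing Conditional Access Policies' rule.

Hypothetical example (not EntraAnalyzer's code). Input is the list of policy
objects from GET /identity/conditionalAccess/policies ("value" array).
"""
from dataclasses import dataclass, field

# Real values of the Graph 'state' property on a conditionalAccessPolicy.
ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"
DISABLED = "disabled"


@dataclass
class Finding:
    has_enforced_policy: bool
    enforced: list = field(default_factory=list)
    report_only: list = field(default_factory=list)
    disabled: list = field(default_factory=list)
    missing_baseline: list = field(default_factory=list)


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _users(policy):
    return (policy.get("conditions") or {}).get("users") or {}


def _targets_all_users(policy):
    return "All" in (_users(policy).get("includeUsers") or [])


def _targets_admin_roles(policy):
    # Role-scoped policies list directory role template ids in includeRoles.
    return bool(_users(policy).get("includeRoles"))


def _blocks_legacy_auth(policy):
    # The legacy-auth template scopes the policy to the legacy client app
    # types only and applies the 'block' grant control.
    apps = set((policy.get("conditions") or {}).get("clientAppTypes") or [])
    legacy = {"exchangeActiveSync", "other"}
    return bool(apps) and apps <= legacy and "block" in _controls(policy)


# Minimum set named in the recommended steps; order is the report order.
BASELINE = {
    "mfa_all_users": lambda p: _targets_all_users(p) and "mfa" in _controls(p),
    "block_legacy_auth": _blocks_legacy_auth,
    "mfa_admin_roles": lambda p: _targets_admin_roles(p) and "mfa" in _controls(p),
}


def evaluate(policies):
    """Classify policies by state and list missing baseline policies.

    Only policies in state 'enabled' count as enforced; a tenant whose
    policies are all disabled or report-only is treated as having none.
    """
    f = Finding(has_enforced_policy=False)
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        state = p.get("state")
        if state == ENFORCED:
            f.enforced.append(name)
        elif state == REPORT_ONLY:
            f.report_only.append(name)
        else:
            f.disabled.append(name)
    f.has_enforced_policy = bool(f.enforced)
    live = [p for p in policies if p.get("state") == ENFORCED]
    f.missing_baseline = [
        key for key, check in BASELINE.items() if not any(check(p) for p in live)
    ]
    return f


# Constructed sample: one report-only, one enforced, one disabled policy.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins", "state": DISABLED,
     "conditions": {"users": {"includeRoles": ["<admin-role-template-id>"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_POLICIES)
    print("enforced policies present:", result.has_enforced_policy)
    print("report-only (not enforced):", result.report_only)
    print("disabled:", result.disabled)
    print("missing baseline policies:", result.missing_baseline)
```

Feeding in the real `value` array from the Graph call (Policy.Read.All is sufficient for that read) gives the same classification for a live tenant; the useful part for triage is that a report-only policy shows up under `report_only` rather than counting toward enforcement, which matches the advice to validate in report-only mode and then switch the state to enabled.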
How to fix it
Implement Conditional Access policies for enhanced security
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
- Directory.Read.All
- Policy.Read.All
Further reading
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.